ARM template, Incorrect Segment Lengths - azure

I'm trying to build an ARM template and keep getting the error:
'The template resource 'udr-sub-w05-w05-w05-agw-10.10.10.32/27' for type
'Microsoft.Network/routeTables' at line '141' and column '5' has incorrect segment lengths. A nested resource type must have identical number of segments as its resource name. A root resource type must
have segment length one greater than its resource name.
The nested template for create route tables code is below:
{
"name": "[variables('routeTable1')]",
"type": "Microsoft.Network/routeTables",
"apiVersion": "[variables('routeTableApiVersion')]",
"location": "[resourceGroup().location]",
"properties": {
"routes": [
],
"disableBgpRoutePropagation": false
}
},
{
"name": "[variables('routeTable2')]",
"type": "Microsoft.Network/routeTables",
"apiVersion": "[variables('routeTableApiVersion')]",
"location": "[resourceGroup().location]",
"properties": {
"routes": [
],
"disableBgpRoutePropagation": false
}
},
Any idea where this is going wrong? I've spent some time googling and my understanding is the "TYPE" should have one less segment than the "NAME", which I believe it has
"name": "[variables('routeTable1')]",
"type": "Microsoft.Network/routeTables",
Route table one variables
"routeTable1": "[tolower(concat('udr-', variables('subnetName1')))]",
"routeTable2": "[tolower(concat('udr-', variables('subnetName2')))]",
Thanks

Your route table name contains /, hence it thinks you are trying to create a sub resource and asks you to provide its type (you only provide parent resource type). remove the /27 thing or replace it with -27 or something like that.

Related

How do I specify multiple rows in an Azure Vulnerability Assessment baseline definition in my ARM (JSON) template?

I'm trying to add some Azure Vulnerability Assessment baseline definitions to my ARM templates. I use JSON for my ARM templates. I cannot find any documentation on how to specify certain VA baseline definitions, though, namely ones that need to have multiple rows in the baselines.
Specifically, I'm trying to add a baseline defintiion for VA2109. I can locate the documentation for how to define a baseline VA entry in a general sense, which is here...
https://learn.microsoft.com/en-us/azure/templates/microsoft.sql/servers/databases/vulnerabilityassessments/rules/baselines?tabs=json
And then I can locate the description of VA2109 in here ...
https://learn.microsoft.com/en-us/azure/azure-sql/database/sql-database-vulnerability-assessment-rules#authentication-and-authorization
But neither of those tell me how to include more than one user-role mapping. For example, below is what I currently have, which works and lets me specify that a user should have data writer role. But, I also want to specify that the user should have data reader and ddl admin roles.
{
"type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
"apiVersion": "2021-02-01-preview",
"name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
],
"properties": {
"baselineResults": [
{
"result": ["wibuser", "db_datawriter"]
}
]
}
}
I was able to find an example of what I want using PowerShell. In PowerShell, you can just provide and array of arrays. The PowerShell example can be found here ...
https://learn.microsoft.com/en-us/powershell/module/sqlserver/new-sqlvulnerabilityassessmentbaseline?view=sqlserver-ps#example-2--create-a-new-security-check-baseline-manually
So I adjusted my ARM to do the same thing, but it throws an error saying invalid ARM template. The adjusted ARM I tried looks like below ...
{
"type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
"apiVersion": "2021-02-01-preview",
"name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
],
"properties": {
"baselineResults": [
{
"result": [
["wibuser", "db_datawriter"],
["wibuser", "db_datareader"]
]
}
]
}
}
Does anybody know how to specify multiple rows in a VA baseline resource when using ARM JSON? Or perhaps know where to find documentation for all of these VA definitions?
Note that baselineResults is an array of rows.
You will need to add each row as an JSON object to that array.
Also, note that each result row should include all columns so you should also include "Principal Type" and "Authentication Type" rows.
It should look something like that:
{
"type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/rules/baselines",
"apiVersion": "2021-02-01-preview",
"name": "[concat(variables('sqlServerName'), '/', variables('databaseName'), '/default/VA2109/Default')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers/databases', variables('sqlServerName'), variables('databaseName'))]"
],
"properties": {
"baselineResults": [
{
"result": ["wibuser", "db_datawriter", "SQL_USER", "NONE"]
},
{
"result": ["wibuser", "db_datareader", "SQL_USER", "NONE"]
}
]
}
}
I added dummy values for "Principal Type" and "Authentication Type" rows, fill your own

ARM TTK throwing error for the test : Location Should Not Be Hardcoded in Azure DevOps Pipeline

I am running ARM TTK as one of the tasks in my Azure DevOps Pipeline for validating ARM Templates before a PR is merged.
One of the tests that i am using is : Location Should Not Be Hardcoded which is mentioned in the link : ARM-TTK-Tests by the name of "Location Uses Parameter"
My ARM Template name is not "azuredeploy.json" or "mainTemplate.json" . My ARM Template name is "winvm-arm.json".
I have the location defined in parameters like shown below :
"location": {
"type": "string",
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Location for all resources."
}
I also have the reference to this parameter in my resource block like shown below :
resources": [
{
"apiVersion": "2020-05-01",
"type": "Microsoft.Network/networkInterfaces",
"name": "[concat(variables('vmName'), '-nic')]",
"location": "[parameters('location')]",
"properties": {
"ipConfigurations": [
{
"name": "ipconfig1",
"properties": {
"privateIPAllocationMethod": "Dynamic",
"subnet": {
"id": "[variables('subnetRef')]"
}
}
}
]
}
}
So everything is correct as per what it should be then why is the test still flagging the error below :
Location Should Not Be Hardcoded (12 ms)
The location parameter of nested templates must not have a defaultValue property. It is "[resourceGroup().location]"
Is it because my main template name is not "azuredeploy.json" or "mainTemplate.json" and it is being treated as a nested template , is that the reason
Thank you Brian Moore. Posting your suggestion as an answer to help other community members.
this is because anything that is not the "main template" is assumed to be a nested template... main template is determined by the filename (unless you specify otherwise).
I think short term you'll have to follow the pattern - until we have a more standard way of determining name / nested.
You can refer to "Location Should Not Be Hardcoded" test catching errors in good templates

Azure Resource Manager Template: Conditional Deployment

I'm working on an ARM template and need to perform conditional deployment. For instance, I've got two network security groups defined in a variable 'subnets'.
"variables": {
"subnets": [
{
"subnetname": "AzureBastionSubnet",
"nsgname": "nsg_bastion1"
},
{
"subnetname": "client-subnet",
"nsgname": "nsg_client1"
}
]
}
The network security group 'nsg_bastion1' needs special treatment with predefined rules since it is a network security group for an Azure Bastion subnet.
'nsg_client1' will get some custom rules assigned, which don't matter at this point.
In order to differentiate between non-Bastion and Bastion-network security groups, I've created two conditional resource blocks:
"resources": [
// NSG (non-Bastion)
{
"condition": "[not(equals(variables('subnets')[copyIndex()].name, 'AzureBastionSubnet'))]",
"name": "[variables('subnets')[copyIndex()].nsg]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2019-11-01",
"location": "[parameters('location')]",
"properties": {},
"copy": {
"name": "nsg-c",
"count": "[length(variables('subnets'))]"
}
},
// NSG (Bastion)
{
"condition": "[equals(variables('subnets')[copyIndex()].name, 'AzureBastionSubnet')]",
"name": "[variables('subnets')[copyIndex()].nsg]",
"type": "Microsoft.Network/networkSecurityGroups",
"apiVersion": "2019-11-01",
"location": "[parameters('location')]",
"properties": {},
"resources": [
// Bastion Security Rules .....
],
"copy": {
"name": "nsg-bastion-c",
"count": "[length(variables('subnets'))]"
}
},]
The condition property checks whether the subnet is called 'AzureBastionSubnet' or not. I've verified that this works for both resource blocks alone, but it doesn't when they're included both in the code. It always throws the following error message:
Code=InvalidTemplate; Message=Deployment template validation failed:
'The resource 'Microsoft.Network/networkSecurityGroups/AzureBastionSubnet' at line '' and column '' is defined multiple times in a template.
I'd appreciate any help, thanks in advance!
Ok, I thought we had fixed this but not yet...
Even though your conditions are mutually exclusive, you can't have 2 resources with the same resourceId in the same template.
I'm guessing the difference between the two is in the securityRules? If so, simplest option may be to define 2 separate vars and then use an if() statement to swap between them based on your condition.
Failing that if you want to expand on the template can see if there is a better option...

Deploy nested resources separately

Due to separation of duty I need to split an existing ARM template into two single templates - one for the resource and one for the logging
the original templates looks like this:
"resources": [
{ // https://learn.microsoft.com/en-us/azure/templates/microsoft.datafactory/factories
"type": "Microsoft.DataFactory/factories",
"name": "[variables('dataFactoryName')]",
"apiVersion": "[variables('apiVersion')]",
"location": "[resourceGroup().location]",
"tags": {},
"identity": {
"type": "SystemAssigned"
},
"properties": {},
"resources": [
{
"type": "providers/diagnosticSettings",
"name": "[concat('Microsoft.Insights/', variables('logSettingName'))]",
"dependsOn": [
"[resourceId('Microsoft.DataFactory/factories', variables('dataFactoryName'))]"
],
"apiVersion": "2017-05-01-preview",
"location": "[resourceGroup().location]",
"tags": {},
"properties": {
"name": "[variables('logSettingName')]",
"workspaceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('logAnalyticsObject').resourceGroup, '//providers/Microsoft.OperationalInsights/workspaces/', parameters('logAnalyticsObject').name)]",
"logs": "[parameters('logAnalyticsObject').adfv2.logs]",
"metrics": "[parameters('logAnalyticsObject').adfv2.metrics]"
}
}
]
}
The first part is quite easy, I just remove the sub-resource but how to get the second part (resource with "type": "providers/diagnosticSettings") correctly so it can be deployed from a different template?
Is this possible at all or are these strongly tied together?
I already tried different things like
"type": "Microsoft.DataFactory/factories/providers/diagnosticSettings",
"name": "[concat('Microsoft.Insights/', variables('name'))]",
but ended up with error messages like this:
Unable to process template language expressions for resource '/subscriptions/fb1e20c4-0878-4949-ac10-f92a9ac35db4/resourceGroups/swe-sdp-dv0
-rgp-adp/providers/Microsoft.Resources/deployments/DataFactory_LogAnalytics_Resource' at line '67' and column '5'. 'Unable to evaluate template language
function 'resourceId': function requires exactly one multi-segmented argument which must be resource type including resource provider namespace. Current
function arguments 'fb1e20c4-0878-4949-ac10-f92a9ac35db4,swe-sdp-dv0-rgp-anl,Microsoft.Insights,swe-sdp-dv0-oms-001'. Please see
https://aka.ms/arm-template-expressions/#resourceid for usage details.
I think to make it work I would need the right combination of "type", "name" and probably also "dependsOn"
ok, according to this, you would need to do this:
"type": "Microsoft.DataFactory/factories/providers/diagnosticSettings",
"name": "[concat(variables('dataFactoryName'), '/Microsoft.Insights/', variables('name'))]",
you dont need dependsOn, because resources are under different templates.

arm template virtualNetworkName creation appendix issue

I am trying to get a arm template running and have hit an issue with the virtualnetwork creation.
azuredeploy.json
"virtualNetworkName": {
"type": "string",
"metadata": {
"description": "Name of virtual network to be created"
},
"defaultValue": "autohav2VNET"
},
vnet-net.json
"resources": [
{
"name": "[parameters('virtualNetworkName')]",
"type": "Microsoft.Network/virtualNetworks",
"location": "[parameters('location')]",
"apiVersion": "2015-06-15",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('virtualNetworkAddressRange')]"
]
},
"subnets": "[parameters('subnets')]"
}
}
]
The issue I am getting is that the vnet gets created with an appendix such as this: autohav2VNETl5g
So when this gets used to create a loadblancer, the names doe not match the defined parameter and the creation fails.
..../virtualNetworks/AUTOHAV2VNET referenced by resource .... /Microsoft.Network/loadBalancers/sqlLoadBalancer was not found.
Any suggestions?
with the data given it impossible to be sure why this is happening. you are probably passing in a value to the parameter virtualNetworkName. because if you wouldn't, than the vnet name would be: autohav2VNET.
ARM templates do not append anything anywhere just because they are arm templates. they only do what you designed them to do.
to help with debugging: how you are invoking the template and full template + full parameters file.

Resources